Why Should I Care How I Log In?

Do you work with sensitive or confidential information? I am sure you do, and as you continue reading you will learn about two security models that are worth investigating and implementing in your business environment. This article focuses briefly on Multi-Factor Authentication and Single Sign-On, and then defines two additional processes that extend security to harden the network.

What are these two security models and what are the differences between them? Are they complementary or competitive in their support of logins and security? Let’s begin with their definitions:

Multi-Factor Authentication (MFA):

An electronic method in which the end user signing in to a website or application is prompted to enter two or more verifiable details as authentication evidence.

Single Sign-On (SSO):

An authentication process that allows a secure login across multiple websites, applications, or related services without having to re-enter login credentials. This process is based on a trust relationship: an identity tool (Okta, Duo, OneLogin…) builds a token that is presented to authenticate the user.

These security models are complementary. They provide enhanced security and can be used independently or together without impacting the end user.


MFA is inexpensive to create and manage as the end user manages their responses. This security model is just one step above simply using a username and password.

Often MFA is referred to as the Q&A for login.

Examples: What is your mother’s maiden name? What is the name of the hospital where you were born?

Sometimes, MFA gets confused with two-factor authentication (2FA). 2FA adds additional security layers, such as randomly generated tokens or biometrics.


Conversely, SSO requires other tools, knowledge, and intervention by the end user during the login process. That intervention may take the form of a smart phone application or a phone call that prompts the end user when logging in to a system. This security model leverages more advanced identity management tools to mitigate risk. Those tools could include a smart card, Security Assertion Markup Language (SAML), Kerberos, a location factor such as GPS, or even a knowledge factor (a PIN).

Examples: The end user begins to log on to their computer. The computer sends a prompt to the end user’s desk phone to authorize access.

A smart phone application prompts the end user to Approve/Deny access.

Do I have to use an authentication process?

The first answer: speak with your information technology (IT) team. They will know what processes, tools, and options are currently in use or could be deployed in your environment. They will also know any compliance or regulatory requirements associated with your business and can address your questions. To answer a few more questions, please continue reading:

  1. MFA and SSO are best used together.
  2. If you have highly sensitive information, 2FA is worth investigating. 2FA extends MFA by using biometrics and/or time-sensitive, rotating codes.
  3. Adding a Secure Sockets Layer Virtual Private Network (SSL-VPN) with Zero Trust Network Access (ZTNA) policy and procedures to your organization will substantially expand security.

Additional Comments

As mentioned above, using MFA and SSO together provides security; extending those security requirements, however, hardens your network against cyber-attacks. Leveraging “next generation” security technologies can keep your resources from being easily attacked, and it can also open up access for mobile users, making their work environment user friendly and similar to what they have onsite.

Installing an SSL-VPN makes “onsite versus offsite” access to network resources a moot issue. Services can be delivered to offsite users with relative ease and remain managed and supportable. This includes printing to the office, accessing file shares, and using applications that are only available on-network.

  • SSL-VPNs provide direct access, via a tunnel, to an endpoint on the corporate LAN. This can be a workstation, server, application, file share, printer, or service.

Installing a ZTNA appliance provides more granular access control. Through this tool, applications, services, file storage, and so on can be allowed or denied depending on the end user and their needs.

  • ZTNA only provides access to authorized applications and services.

When dealing with your organization’s sensitive information and security concerns, it’s important to start the conversation with your IT department. I hope this information has given you a better understanding of the different types of security models available.

October 9, 2023

Routine, Routine, Routine

I have a routine when it comes to backups. I back up my email, devices, and important files, and then I back up our company’s and our clients’ data. The routine rarely changes, other than in size and time. Every time I start a backup, I watch the clock tick and tock.

The service IT provides is the ability to recover from a hiccup, an end user issue, or (hopefully not) a catastrophic failure. I do not care for any of those scenarios as the information is often vague or does not provide adequate details about the event or its root cause. Nonetheless, a backup will become critical to your company’s operation and for your clients’ peace of mind during those situations.

For my organization, backups can be the difference between a few minutes, days, weeks, or even months of data having to be restored. Not only is the return of the data important, but the soft hours of having staff re-enter information, and the potential for error in doing so, make that situation untenable.

It is your IT professionals’ role to secure your company’s data. They should have a plan: a disaster recovery plan and a business continuity plan. This plan should outline the backup schedule, the duration of a backup, and a communication protocol, and it should define a data recovery testing process with adequate storage to perform all of the above functions.

  • You or your business should have an immutable version of the critical business data you have online. This data source should not be on your network or accessible from your network. Not only does this save you if a physical issue (fire, flood, tornado) were to impact your business, but the immutability of a data source allows for restoration with less impact to your business during a cyberattack.
  • Depending on the sensitivity of the data, the configuration of the backup schedule and retention is equally important. How often are full and partial backups conducted? How often are incremental backups stored? How accessible are the backups for restoration? Who has access to the backups? Where are they stored? Is the data in its original state, or is it encrypted or protected by other services such as two-factor authentication?
  • Fully document the process and access, and test the solution. Not just once, but regularly. Be diligent in pointing out anomalies or failures, and certainly celebrate success too.

This March 31st, World Backup Day will come and go. The effort you put into securing data may make this day even more meaningful to you.

March 31, 2023

World Backup Day

How often do you get annoying messages popping up on your phone saying, “Your iPhone has not been backed up for 32 weeks.” You click OK, ignore it, and move on.

Admit it—you saw the message for multiple weeks, yet you ignored it. Unfortunately, you can’t ignore it this time because disaster struck. Your device rebooted in the middle of the day and, voilà, a factory reset! You shake your head and ask yourself, “What just happened?” Of course, in the ensuing minutes and hours you realize just how important that device was to your daily operations. Now you are in panic mode. You need a file for a meeting…

This is a common scenario for IT staff. The technician listens with compassion, asks when the last backup was made, and then proceeds to try to recover your files. In most cases, the technician will get your device operable, but you will likely lose some recent files. As end users, we rely on technology to serve our needs, but we fail to perform regular maintenance and back up our systems on a scheduled basis. The busyness of life supersedes common sense.

This March 31 is World Backup Day.  Challenge yourself to commit to backing up your devices and files today and set time on your calendar to develop a regular backup schedule.  Follow these steps:

  • Avoid having only one backup from when you first set up your phone or computer. This means that you do not dismiss those annoying messages, but review and respond accordingly.
  • Prioritize files and set up regular backup schedules to automatically back up your files and devices.
  • Invest in an auxiliary storage device as a preventative measure and conduct regular backups.
  • Work with your IT staff to configure your computer to store your files on the server, in the cloud, or on a storage appliance. Most businesses have backups that are themselves backed up.

Remember, others rely on your work too! Keep your cool and take a few minutes to make a backup plan; it goes a long way toward resolving any issue.

March 31, 2022

Protective Tips on National Technology Day

Technology moves at break-neck speed. Every time I turn around there is something new for me to learn or do. Couple those changes with nefarious attempts to collect and use my personally identifiable information, and I’ve entered the cyberthreat zone. What can you and I do to protect our name and information? Here are a few simple tips:

  • Never open an email attachment when you do not know the person sending the message. Think twice about the title; the way the subject or file name is written (emojis, special characters, misspelled words); the action requested (“can you call me at this number?”); and the urgency (“asap”) of the message. Often these mistakes are the tell-tale sign of a phishing attempt. Check the number to see if it really is that person’s number. Look at the email address to confirm it is the right email for that person, and never let the sender control the speed of your response.
  • If someone spoofs or hacks the email of someone you know and sends you a message asking for your cell phone number, don’t oblige them. This is a newer scam used to move the conversation off email while hiding the sender’s true identity from you. The goal is to coerce or convince you to buy gift cards and send them, because the “sender” is too busy or in a meeting and needs them asap.
  • If you get an email in your mailbox that has multiple recipients, but you do not know those other recipients, check whether the names are in alphabetical order. If so, the person who sent the message was likely hacked and their address book was compromised. Delete the message. If you know the sender, consider picking up the phone and calling them to let them know that their email has been compromised.

With due diligence, we can reduce the scams that steal data and collect our private information.

January 5, 2022